Hitting back at cyberattackers: Experts discuss pros and cons

MIAMI -- The questions are being asked more often: When a cyberattack hits your network, is it right to launch a counter-attack of some type to try to at least identify the source if not stop it? Since the wheels of justice do indeed grind slowly, should frustrated IT professionals with security skills take matters into their own hands or hire others to do so?

"You want to go after them and block them," said David Willson, an attorney and retired Army JAG officer who, like other lawyers in the field, is concentrating on understanding the limits of what IT and security managers can or should do under the limits of today's law. Speaking at the Hacker Halted conference, Willson said there is no consensus among lawyers focusing on this topic. But he emphasized that companies being attacked "should look beyond your network and figure out what's coming after you," and there's a case to be made that you should "strike back defensively."

"Can you do it technically? Yes. Legally? I'd argue, yes," he said. Although some have argued in the past that even using a network-based honeypot to fool cybercriminals into thinking they've broken into a network is illegal, Willson said he disagrees. Companies might want to try and pinpoint attackers through use of so-called beacons and "digital dye-packs," such as documents that when stolen can report back where they are.

But there are tough questions about how far an IT manager can go to actually try and pursue attackers who are often organizing and launching attacks through compromised computer systems all over the world. The U.S. Computer Fraud and Abuse Act, which applies to anyone in the U.S. regardless of what they do across the global Internet, suggests you can't make unauthorized entry into a computer owned by another entity.

Willson says this law, too, gets argued over as to what unauthorized access really means. But he says companies should believe they have the right to "defend persons or property." This means that potentially the corporate management in an organization -- not the IT department, he says -- could make a decision to go after an attacker in some way based on risk, liability and other legal issues.

This general concept is being described in the security industry as "active defense," and Willson advocates that organizations pull together a team to have an active defense plan and a way to document findings. "You have to make the CEO as comfortable with this as possible," he said, because active defense may become something that could be challenged in court.

Dmitri Alperovitch, CTO at startup CrowdStrike, which is launching its own active defense-style services, says to his knowledge there has not yet been a significant legal case in this area, though if there were one, it might help distinguish how far the victimized organization can go to pursue and disrupt an attacker.

If there's a "marquee case" where "someone takes the bullet" in a court battle arguing for the ability to strike back in active defense, then the result might be to raise awareness that could get Congress to modify current law. He added that Microsoft has shown some success in lawsuits oriented toward dismantling botnets around the world by going after individuals running them and also revealing their identities.

"We need to get some deterrence," said Alperovitch. It's his opinion that nation-state industrial espionage that occurs over the Internet, often linked to China, is simply something that for political reasons the U.S. government does not want to take on as a public issue now. Despite the huge number of computer intrusions blamed on Chinese attackers stealing U.S. data from corporations and government over the past few years, the U.S. government is not motivated to make waves over it. "On the nation-state side, the government is locked in inaction," said Alperovitch.

Hacking back at servers where you think attacks have originated violates the law and "you don't get much out of it," said Alperovitch. Active defense, he said, is better understood as "offensive tactics" that could involve everything from attempting to get stolen data back to legal action and public relations-oriented actions to expose the identities of attackers in full and their motivations.

Although there's certain to be debate, CrowdStrike is starting with the basic belief that the private sector has the authority "to go into a server to get that data back," said Alperovitch. He said there's a common-law precedent, and an affirmative defense under the law. But the usual circumstances would be that you'd first call the FBI or other law enforcement and have them try to take action, but "if the government and law enforcement is unwilling or unable to take that action, you can," he said. "It's defense of property," along with the idea, "I'm holding you until the law arrives." He said there's a lot of precedent in the legal system for this, but it hasn't really been done before for cyberattack response and he acknowledges that court rulings would be uncertain.

In terms of active defense, there are also techniques related to deception that could come into play that are akin to distributing disinformation in order to fool an attacker. He said this could go way beyond honeypots, which he says aren't usually effective because they are hard to make realistic. Though he declined to divulge some details, he said the best types of counterattack deceptions are those in which disinformation is very targeted toward an attacker and you try to limit the spread. Here, too, the issue of both public relations and legal fallout exist because active defense tactics that go awry could have negative consequences for companies and governments.

In the end, though, the idea of "naming and shaming" the cyberattackers has real value, though there always seems to be another attacker out there to fill the spot.

Sean Bodmer, threat intelligence analyst at security firm Damballa, who has worked hard to combat Russian organized-crime groups running botnets for financial gain by providing technical assistance to the FBI on some operations, acknowledged some frustration with that effort. Speaking at the Hacker Halted conference this week, he said the gravity of what he sees coming from Russian cybercrime and Chinese-related espionage is immense. Law enforcement is "too slow" and they tend to have the mindset that "they're looking for the next big case," he said. He added he's now more optimistic about tactics that involve taking actionable information related to criminal activities and showing it directly to companies such as hosting providers in data centers, where they will cut off criminal proxies, for example.

The idea that there should be direct action taken against attackers, even in the course of identifying their unwanted presence in a corporate network, is growing, however uncertainly. Jonathan Cran, chief technology officer at security firm Pwnie Express, advocated "fighting fire with fire" during his presentation at Hacker Halted. State-sponsored attackers are a fact of life and they will be using phishing, remote-access Trojans, and other stealthy means to accomplish exfiltration of stolen data, he noted. These so-called "advanced persistent threats" in the corporate network suggest there should be more focus on APT "counter attack" to develop "offensive capabilities" that shorten the time from detection to constraint. He said the idea of the typical penetration test needs to evolve into a process that provides ways to hook the bad guy.

How the security industry will grow to engage -- within the confines of the law -- in active defense tactics is unclear, but sources planning the RSA Conference 2013 say they expect this to become a central theme in session tracks at the conference early next year.
